
I'm using Ubuntu 22.04 and want to log in with an SSH user that has access only to iptables and ip6tables. So the user should log in and be able only to input, delete and update iptables and ip6tables, nothing else.

The reason I would like to do this is that I only allow access to ports 80 and 443 on my webserver from the IP range of Cloudflare. Every night I check whether Cloudflare has updated their IP range by reading this file https://www.cloudflare.com/ips-v4/ and then update the IP range in my iptables with a PHP script. Access to SSH is limited to my IP address in the firewall, and the SSH user "iptables" can only log in from my IP address by adding AllowUsers to my sshd_config.

Is it possible to allow only the SSH user "iptables" to have access to iptables and ip6tables (input, update and flush), and how do I have to configure this user?

1 Answer


So, have a daemon running on your server with the necessary privileges (CAP_NET_ADMIN, at the very least, possibly full root access), and trigger it every day. You already have the PHP script! So, run it as root on the server, regularly, as a systemd timer unit or through cron, done; no need to involve logging in manually.

You can't generally give a user such privileges; you can do so for processes running as root. So, no matter how you solve it, it will involve a privileged program getting the list. Hence my recommendation to cut out the middleman altogether and not use SSH. You can of course decide to use SSH to copy over the updated list, and have a process regularly check for such updates; but in the end, that sounds more complicated than running what you do locally on the server.

  • Hi Marcus, thank you very much! I'm quite new to Unix. Could you please explain to me how to configure the daemon? The link to the PHP script is /var/www/cronjobs/iptables.php
    – Matthijs
    Commented May 17 at 20:32
  • That seems to be already part of something called cronjobs, so probably that is documented somewhere, which I can't guess. Commented May 17 at 20:33
  • I can create a cronjob. But how do I get access to iptables inside my PHP script? Right now I connect with SSH from PHP.
    – Matthijs
    Commented May 17 at 20:40
  • You run the cronjob as root on the server, not locally. Commented May 17 at 20:43
  • So you mean calling the cronjob as the root user? Does that automatically give root access to my PHP script?
    – Matthijs
    Commented May 17 at 20:44
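What the answer recommends, written out as an added example that is neither the asker's iptables.php nor code from the answerer: a POSIX shell script that root runs nightly from cron (or a systemd timer), which turns the Cloudflare IPv4 list into rules for one dedicated chain and loads them with iptables-restore. No SSH user is involved, because the process already runs on the server with the privileges it needs. The chain name CLOUDFLARE_HTTP, the script path, the crontab line and the embedded sample list are assumptions; the sample list is constructed so the script runs offline, and the real fetch only happens with --apply.

```shell
#!/bin/sh
# Added example (not the asker's iptables.php, not the answerer's code).
# Assumptions: a chain named CLOUDFLARE_HTTP that INPUT already jumps to for
# tcp/80,443; curl and iptables-restore installed; the script runs as root.

CHAIN="${CHAIN:-CLOUDFLARE_HTTP}"
nl='
'

# Constructed sample in the format of https://www.cloudflare.com/ips-v4/
# (one CIDR per line); two bad lines are included to exercise the validation.
SAMPLE_LIST='173.245.48.0/20
103.21.244.0/22
not-an-address
2400:cb00::/32
'

# Accept only dotted-quad IPv4 with an optional /0-32 prefix. Anything else
# (IPv6, names, shell metacharacters) is rejected, so a malformed or tampered
# list cannot smuggle arbitrary text into the ruleset.
valid_v4_cidr() {
  printf '%s\n' "$1" |
    grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
  old_ifs=$IFS
  IFS=.
  set -- ${1%%/*}          # split the address part into its four octets
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Read CIDRs on stdin and print an iptables-restore fragment for the chain.
# ":CHAIN - [0:0]" creates the chain, or with --noflush empties it, so ranges
# that Cloudflare dropped disappear. Returns 1 and prints nothing if no valid
# entry was found: loading an empty chain would lock every web client out.
build_rules() {
  rules=''
  n=0
  while IFS= read -r entry || [ -n "$entry" ]; do
    [ -n "$entry" ] || continue
    if valid_v4_cidr "$entry"; then
      rules="$rules-A $CHAIN -s $entry -p tcp -m multiport --dports 80,443 -j ACCEPT$nl"
      n=$((n + 1))
    else
      printf 'skipping invalid entry: %s\n' "$entry" >&2
    fi
  done
  [ "$n" -gt 0 ] || return 1
  printf '%s\n' '*filter' ":$CHAIN - [0:0]"
  printf '%s' "$rules"
  printf '%s\n' "-A $CHAIN -j DROP" 'COMMIT'
}

# Number of ACCEPT rules produced from the constructed sample (2: the IPv6
# range and the junk line are skipped).
count_accept_rules() {
  printf '%s' "$SAMPLE_LIST" | build_rules 2>/dev/null | grep -c -- '-j ACCEPT'
}

# Nightly run as root, e.g. this line in /etc/cron.d (path assumed):
#   0 3 * * * root /usr/local/sbin/cloudflare-ranges.sh --apply
if [ "${1:-}" = "--apply" ]; then
  tmp=$(mktemp) || exit 1
  # Fetch first and check the result, so a network error never turns into a
  # ruleset with no ranges.
  if curl -fsS https://www.cloudflare.com/ips-v4/ -o "$tmp" && [ -s "$tmp" ] \
     && ruleset=$(build_rules < "$tmp"); then
    printf '%s\n' "$ruleset" | iptables-restore --noflush
  else
    echo 'fetch or validation failed, keeping current rules' >&2
  fi
  rm -f "$tmp"
fi
```

The one-time setup (assumed commands, done once by the administrator) is `iptables -N CLOUDFLARE_HTTP` followed by `iptables -I INPUT -p tcp -m multiport --dports 80,443 -j CLOUDFLARE_HTTP`; after that the script only ever rewrites that one chain, and `--noflush` leaves the rest of the filter table untouched. The existing PHP script could be kept and simply started from root's cron the same way; the point is that nothing has to log in over SSH. ip6tables would need the ips-v6 list and an IPv6 validator, which this IPv4-only example leaves out.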
